From patchwork Wed Sep 14 08:59:36 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 2758 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director13.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id SHdwAjAlImMSLgAAIUCqbw (envelope-from ) for ; Wed, 14 Sep 2022 15:02:08 -0400 Received: from proxy13.mail.ord1d.rsapps.net ([172.30.191.6]) by director13.mail.ord1d.rsapps.net with LMTP id sG4+AjAlImO0PAAA91zNiA (envelope-from ) for ; Wed, 14 Sep 2022 15:02:08 -0400 Received: from smtp12.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy13.mail.ord1d.rsapps.net with LMTPS id 8DAPAjAlImOrAwAAgjf6aA (envelope-from ) for ; Wed, 14 Sep 2022 15:02:08 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp12.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=unstable.cc; dmarc=none (p=nil; dis=none) header.from=unstable.cc X-Suspicious-Flag: YES X-Classification-ID: b9ca15a2-345f-11ed-8e35-bc305bf03e5c-1-1 Received: from [216.105.38.7] ([216.105.38.7:39746] helo=lists.sourceforge.net) by smtp12.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id A0/65-06477-E2522236; Wed, 14 Sep 2022 15:02:06 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1oYXdb-0008QE-Qu; Wed, 14 Sep 2022 19:01:31 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1oYXda-0008Q3-Ql for openvpn-devel@lists.sourceforge.net; Wed, 14 Sep 2022 19:01:30 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=SCtxcC+H6g5wyiX38I2GgQwaFXyenBcTPUMZHYXkLeM=; b=H/p7GJIG0VgKWjpHthdm6ttASz K5Ds+x+n0SlP6IzO3P97wU2ooBBQBhDfOp4g5lTDsekMYm/Eh5naHm/Yxy7kvoAy1gioXqHB7A+Pk o+nh/CSveQ9+Gr6vTz46PK+2RYvQYIVoGaNyuNDARdbTvoJkrR/OqbB0+bDfSNGFwQII=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:Cc:To:From :Sender:Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=SCtxcC+H6g5wyiX38I2GgQwaFXyenBcTPUMZHYXkLeM=; b=G TJfdR6vPhipFtCiXLbchqQbd2bX5Lq6Sj12jwFtpXgFkXKh9s9rS6TejVbGQG6iyBS8ktRMSs+UzW eoh03zADU2ftUHAPb7Fgtih3FIMpgUBEy/2H5TvXvdM0apOxfJpFO0aKwm3Vnn+S5VuqLPBCbueQo tmYrODIHMB/evQwM=; Received: from wilbur.contactoffice.com ([212.3.242.68]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1oYXdV-008Ih3-9U for openvpn-devel@lists.sourceforge.net; Wed, 14 Sep 2022 19:01:30 +0000 Received: from smtpauth1.co-bxl (smtpauth1.co-bxl [10.2.0.15]) by wilbur.contactoffice.com (Postfix) with ESMTP id EB47C34DD; Wed, 14 Sep 2022 21:01:18 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1663182078; s=20220809-q8oc; d=unstable.cc; i=a@unstable.cc; h=From:Cc:Date:Message-Id:MIME-Version:Content-Transfer-Encoding; l=8096; bh=SCtxcC+H6g5wyiX38I2GgQwaFXyenBcTPUMZHYXkLeM=; b=L5zVjoj/Cv48FkYkKPJ/A4kC0M7p7sBEV71G5Jc7EONm5YohNCXrx/8Ee2WCvZQh Ku+Asq8VZ+EMBAOC3f+t9eKJ1dm26L9FTWUMX0Knc42uvxj3DR0paAed5Q8NtEDAQvh v6c95ineSFEff2FX1/fUoSwJof+5SZgN+WikBp+6wuFog00PNGc1No9NgmdkOa4YmKT WV3P+Ce1/ds/2/LXZ4pJ3chVMGev+eLwaSOjfHiFTYUQWTmCRZAsZvKmnp+DV+Orxma z9vgNqmwopSx/+87dbVWfeL2vx5SudzJD08G46QBemgryv9KzF6EK9a3W/dsWhr07+S H/ZmaR1ZfQ== Received: by smtp.mailfence.com with ESMTPSA ; Wed, 14 Sep 2022 21:01:16 +0200 (CEST) From: Antonio Quartulli To: openvpn-devel@lists.sourceforge.net Date: Wed, 14 Sep 2022 20:59:36 +0200 Message-Id: <20220914185937.31423-1-a@unstable.cc> X-Mailer: git-send-email 2.35.1 MIME-Version: 1.0 X-Spam-Status: No, hits=-2.9 required=4.7 symbols=ALL_TRUSTED, BAYES_00, T_FILL_THIS_FORM_FRAUD_PHISH, T_FILL_THIS_FORM_SHORT, T_SCC_BODY_TEXT_LINE device=10.2.0.1 X-ContactOffice-Account: com:375058688 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: --auth-user-pass is probably the only option expecting a filename as argument that cannot be inline'd as of today. This patch allows specifying username and password inline in the config file within the tag. Content analysis details: (-0.9 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: unstable.cc] -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [212.3.242.68 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.0 T_SCC_BODY_TEXT_LINE No description available. 0.0 T_FILL_THIS_FORM_SHORT Fill in a short form with personal information 0.0 T_FILL_THIS_FORM_FRAUD_PHISH Answer suspicious question(s) X-Headers-End: 1oYXdV-008Ih3-9U Subject: [Openvpn-devel] [PATCH 1/2] auth-user-pass: add support for inline credentials X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Antonio Quartulli Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox --auth-user-pass is probably the only option expecting a filename as argument that cannot be inline'd as of today. This patch allows specifying username and password inline in the config file within the tag. This logic was already implemented for --http-proxy-user-pass, therefore it was just about applying it to this specific option as well. Note that the current logic expects username and password to always be specified when inline. Therefore omitting the password will result in storing an empty password. A later patch will change this behaviour to make it consistent with the classic case (username writte in file), where the password is requested via stdin when missing. While a it, add an empty line between prototypes in init.c to make uncrustify happy. Signed-off-by: Antonio Quartulli --- Changes.rst | 4 ++++ src/openvpn/init.c | 9 +++++++-- src/openvpn/options.c | 12 +++++++----- src/openvpn/options.h | 1 + src/openvpn/ssl.c | 24 ++++++++++++++++++------ src/openvpn/ssl.h | 6 ++++-- src/openvpn/ssl_common.h | 1 + 7 files changed, 42 insertions(+), 15 deletions(-) diff --git a/Changes.rst b/Changes.rst index 275f8d64..2967533a 100644 --- a/Changes.rst +++ b/Changes.rst @@ -87,6 +87,10 @@ Data channel offloading with ovpn-dco this implies that peers must be running 2.6.0+ in order to have P2P-NCP which brings DATA_V2 packet support. +Inline auth username and password + Username and password can now be specified inline in the configuration file + within the tags. + Deprecated features ------------------- diff --git a/src/openvpn/init.c b/src/openvpn/init.c index f3770477..d3afa9a6 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -71,6 +71,7 @@ static const char *saved_pid_file_name; /* GLOBAL */ #define CF_INIT_TLS_AUTH_STANDALONE (1<<2) static void do_init_first_time(struct context *c); + static bool do_deferred_p2p_ncp(struct context *c); void @@ -593,9 +594,12 @@ init_query_passwords(const struct context *c) if (c->options.auth_user_pass_file) { #ifdef ENABLE_MANAGEMENT - auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info); + auth_user_pass_setup(c->options.auth_user_pass_file, + c->options.auth_user_pass_file, + &c->options.sc_info); #else - auth_user_pass_setup(c->options.auth_user_pass_file, NULL); + auth_user_pass_setup(c->options.auth_user_pass_file, + c->options.auth_user_pass_file, NULL); #endif } } @@ -3061,6 +3065,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.client_config_dir_exclusive = options->client_config_dir; } to.auth_user_pass_file = options->auth_user_pass_file; + to.auth_user_pass_file_inline = options->auth_user_pass_file_inline; to.auth_token_generate = options->auth_token_generate; to.auth_token_lifetime = options->auth_token_lifetime; to.auth_token_call_auth = options->auth_token_call_auth; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 765695da..2786c28b 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1556,7 +1556,7 @@ show_p2mp_parms(const struct options *o) SHOW_BOOL(client); SHOW_BOOL(pull); - SHOW_STR(auth_user_pass_file); + SHOW_STR_INLINE(auth_user_pass_file); gc_free(&gc); } @@ -4027,9 +4027,10 @@ options_postprocess_filechecks(struct options *options) options->management_user_pass, R_OK, "--management user/password file"); #endif /* ENABLE_MANAGEMENT */ - errs |= check_file_access(CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, - options->auth_user_pass_file, R_OK, - "--auth-user-pass"); + errs |= check_file_access_inline(options->auth_user_pass_file_inline, + CHKACC_FILE|CHKACC_ACPTSTDIN|CHKACC_PRIVATE, + options->auth_user_pass_file, R_OK, + "--auth-user-pass"); /* ** System related ** */ errs |= check_file_access(CHKACC_FILE, options->chroot_dir, R_OK|X_OK, "--chroot directory"); @@ -7705,10 +7706,11 @@ add_option(struct options *options, } else if (streq(p[0], "auth-user-pass") && !p[2]) { - VERIFY_PERMISSION(OPT_P_GENERAL); + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); if (p[1]) { options->auth_user_pass_file = p[1]; + options->auth_user_pass_file_inline = is_inline; } else { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 5488db31..c9144154 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -523,6 +523,7 @@ struct options int push_continuation; unsigned int push_option_types_found; const char *auth_user_pass_file; + bool auth_user_pass_file_inline; struct options_pre_connect *pre_connect; int scheduled_exit_interval; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 15c8defc..b166da6d 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -396,23 +396,32 @@ static char *auth_challenge; /* GLOBAL */ #endif void -auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci) +auth_user_pass_setup(const char *auth_file, bool is_inline, + const struct static_challenge_info *sci) { + unsigned int flags = GET_USER_PASS_MANAGEMENT; + + if (is_inline) + { + flags |= GET_USER_PASS_INLINE_CREDS; + } + auth_user_pass_enabled = true; if (!auth_user_pass.defined && !auth_token.defined) { #ifdef ENABLE_MANAGEMENT if (auth_challenge) /* dynamic challenge/response */ { + flags |= GET_USER_PASS_DYNAMIC_CHALLENGE; get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH, - GET_USER_PASS_MANAGEMENT|GET_USER_PASS_DYNAMIC_CHALLENGE, + flags, auth_challenge); } else if (sci) /* static challenge response */ { - int flags = GET_USER_PASS_MANAGEMENT|GET_USER_PASS_STATIC_CHALLENGE; + flags |= GET_USER_PASS_STATIC_CHALLENGE; if (sci->flags & SC_ECHO) { flags |= GET_USER_PASS_STATIC_CHALLENGE_ECHO; @@ -425,7 +434,7 @@ auth_user_pass_setup(const char *auth_file, const struct static_challenge_info * } else #endif /* ifdef ENABLE_MANAGEMENT */ - get_user_pass(&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT); + get_user_pass(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags); } } @@ -2165,9 +2174,12 @@ key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_sessi if (auth_user_pass_enabled || (auth_token.token_defined && auth_token.defined)) { #ifdef ENABLE_MANAGEMENT - auth_user_pass_setup(session->opt->auth_user_pass_file, session->opt->sci); + auth_user_pass_setup(session->opt->auth_user_pass_file, + session->opt->auth_user_pass_file_inline, + session->opt->sci); #else - auth_user_pass_setup(session->opt->auth_user_pass_file, NULL); + auth_user_pass_setup(session->opt->auth_user_pass_file, + session->opt->auth_user_pass_file_inline, NULL); #endif struct user_pass *up = &auth_user_pass; diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index ec0d2862..8a8a299f 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -367,9 +367,11 @@ void pem_password_setup(const char *auth_file); /* * Setup authentication username and password. If auth_file is given, use the - * credentials stored in the file. + * credentials stored in the file, however, if is_inline is true then auth_file + * contains the username/password inline. */ -void auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sc_info); +void auth_user_pass_setup(const char *auth_file, bool is_inline, + const struct static_challenge_info *sc_info); /* * Ensure that no caching is performed on authentication information diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index bf3ac67a..eb91de15 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -366,6 +366,7 @@ struct tls_options bool auth_user_pass_verify_script_via_file; const char *tmp_dir; const char *auth_user_pass_file; + bool auth_user_pass_file_inline; bool auth_token_generate; /**< Generate auth-tokens on successful * user/pass auth,seet via